diff --git a/app/controllers/users/omniauth_callbacks_controller.rb b/app/controllers/users/omniauth_callbacks_controller.rb
index 8809e94d4c0..6b0409e2a49 100644
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@@ -115,6 +115,8 @@ class Users::OmniauthCallbacksController < ApplicationController
     # automatically activate/unstage any account if a provider marked the email valid
     if @auth_result.email_valid && @auth_result.email == user.email
       user.update!(staged: false)
+      # ensure there is an active email token
+      user.email_tokens.create(email: user.email) unless user.email_tokens.active.exists?
       user.activate
     end
 
diff --git a/app/models/user.rb b/app/models/user.rb
index 0743ff766dc..33b3d0b6eb9 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -689,8 +689,7 @@ class User < ActiveRecord::Base
   end
 
   def activate
-    email_token = self.email_tokens.active.first
-    if email_token
+    if email_token = self.email_tokens.active.first
       EmailToken.confirm(email_token.token)
     else
       self.active = true
diff --git a/spec/integration/omniauth_callbacks_spec.rb b/spec/integration/omniauth_callbacks_spec.rb
index 59b22b2ff45..2f855576963 100644
--- a/spec/integration/omniauth_callbacks_spec.rb
+++ b/spec/integration/omniauth_callbacks_spec.rb
@@ -49,13 +49,13 @@ RSpec.describe "OmniAuth Callbacks" do
       end
 
       it 'should return the right response' do
+        expect(user.email_confirmed?).to eq(false)
+
         events = DiscourseEvent.track_events do
           get "/auth/google_oauth2/callback.json"
         end
 
-        expect(events.map { |event| event[:event_name] }).to include(
-          :user_logged_in, :user_first_logged_in
-        )
+        expect(events.map { |event| event[:event_name] }).to include(:user_logged_in, :user_first_logged_in)
 
         expect(response).to be_success
 
@@ -66,6 +66,27 @@ RSpec.describe "OmniAuth Callbacks" do
         expect(response_body["awaiting_approval"]).to eq(false)
         expect(response_body["not_allowed_from_ip_address"]).to eq(false)
         expect(response_body["admin_not_allowed_from_ip_address"]).to eq(false)
+
+        user.reload
+        expect(user.email_confirmed?).to eq(true)
+      end
+
+      it "should confirm email even when the tokens are expired" do
+        user.email_tokens.update_all(confirmed: false, expired: true)
+
+        user.reload
+        expect(user.email_confirmed?).to eq(false)
+
+        events = DiscourseEvent.track_events do
+          get "/auth/google_oauth2/callback.json"
+        end
+
+        expect(events.map { |event| event[:event_name] }).to include(:user_logged_in, :user_first_logged_in)
+
+        expect(response).to be_success
+
+        user.reload
+        expect(user.email_confirmed?).to eq(true)
       end
 
       context 'when user has not verified his email' do